<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:remialcxesans;}
@font-face
{font-family:zone-1;}
@font-face
{font-family:zones-AQ;}
@font-face
{font-family:template-5QSGLunPEem16QANOhMLNA;}
@font-face
{font-family:"Calibri \(Body\)";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Unfortunately, this is just the stuff we know about. The USPTO\u2019s security protocols have been a train wreck for quite some time. See, e.g., this report from 2017: \u201cU.S. PATENT AND TRADEMARK OFFICE Inadequate Security Practices, Including
Impaired Security of Cloud Services, Undermine USPTO\u2019s IT Security Posture\u201d <a href="https://www.oig.doc.gov/OIGPublications/OIG-17-021-A.pdf">
https://www.oig.doc.gov/OIGPublications/OIG-17-021-A.pdf</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The PTO apparently responded to the OIG report. There\u2019s an article about it in the WTR but I\u2019m not a subscriber, and I can\u2019t find anything online in the way of a formal reply.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<tbody>
<tr>
<td style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<tbody>
<tr>
<td style="padding:7.5pt 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<tbody>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td valign="top" style="padding:7.5pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-family:"Arial",sans-serif;color:#0F172E">Kevin Grierson</span></b><b><span style="font-size:1.0pt;font-family:remialcxesans;color:white">\u200b</span></b><b><span style="font-size:1.0pt;font-family:template-5QSGLunPEem16QANOhMLNA;color:white">\u200b</span></b><b><span style="font-size:1.0pt;font-family:zone-1;color:white">\u200b</span></b><b><span style="font-size:1.0pt;font-family:zones-AQ;color:white">\u200b</span></b><b><span style="font-family:"Arial",sans-serif;color:#0F172E"><o:p></o:p></span></b></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><span style="font-size:1.0pt"><img border="0" width="131" height="34" style="width:1.3645in;height:.3541in" id="Picture_x0020_1" src="cid:image001.png@01DACED5.8AC1E610"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td valign="top" style="padding:2.25pt 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td style="padding:0in 0in 0in 0in"></td>
<td style="padding:0in 0in 0in 0in"></td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><span style="font-size:1.0pt;color:gray"><img border="0" width="16" height="16" style="width:.1666in;height:.1666in" id="Picture_x0020_2" src="cid:image002.png@01DACED5.8AC1E610" alt="Mobile:"><o:p></o:p></span></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri \(Body\)";color:gray"> <a href="tel:757-726-7799" target="_blank"><span style="color:gray">757-726-7799</span></a><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><span style="font-size:1.0pt;color:gray"><img border="0" width="16" height="16" style="width:.1666in;height:.1666in" id="Picture_x0020_3" src="cid:image003.png@01DACED5.8AC1E610" alt="Fax:"><o:p></o:p></span></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri \(Body\)";color:gray"> <a href="fax:866-521-5663" target="_blank"><span style="color:gray">866-521-5663</span></a><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><span style="font-size:1.0pt;color:gray"><img border="0" width="16" height="16" style="width:.1666in;height:.1666in" id="Picture_x0020_4" src="cid:image004.png@01DACED5.8AC1E610" alt="Email:"><o:p></o:p></span></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri \(Body\)";color:gray"> <a href="mailto:kgrierson@cm.law" target="_blank"><span style="color:gray">kgrierson@cm.law</span></a><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in"></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> E-trademarks <e-trademarks-bounces@oppedahl-lists.com>
<b>On Behalf Of </b>Tim Ackermann via E-trademarks<br>
<b>Sent:</b> Friday, July 5, 2024 12:01 PM<br>
<b>To:</b> For trademark practitioners. This is not for laypersons to seek legal advice. <e-trademarks@oppedahl-lists.com><br>
<b>Cc:</b> Tim Ackermann <tim@ackermannlaw.com><br>
<b>Subject:</b> Re: [E-trademarks] IG Report - A 3-Year Exposure of Privacy Act-Protected Data Revealed USPTO Mismanagement in Safeguarding the Sensitive PII of Trademark Filers<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<div style="border:solid red 3.0pt;padding:0in 0in 0in 0in">
<p class="MsoNormal" align="center" style="text-align:center;line-height:12.0pt;background:red">
<span style="font-family:"Calibri",sans-serif;color:white">EXTERNAL EMAIL<o:p></o:p></span></p>
</div>
</td>
</tr>
</tbody>
</table>
<div>
<div>
<div>
<p class="MsoNormal">Oh, you missed your deadline by over two months? No problem!<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal"> The Department\u2019s breach notification plan states that bureaus and operating units must notify individuals whose data was exposed within 30 days or as expeditiously as practicable and without unreasonable delay. However, USPTO did not
notify affected trademark filers for more than 3 months (105 days) after discovery of the PII exposure on February 24, 2023. <o:p></o:p></p>
</blockquote>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Who could possibly know about editing the URL to access information? Oh... everybody? Well, it is against the ToS! I'm sure it's fine!<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal"> USPTO leadership repeatedly stated that access to domicile addresses through URL manipulation would violate the system\u2019s user agreement. However, the user agreement did not absolve USPTO of its responsibility to protect domicile addresses
from unauthorized access through URL manipulation, a basic and well-known technique used by bad actors <o:p></o:p></p>
</blockquote>
<div>
<p class="MsoNormal">Oh, and we also disclosed other stuff like attorney information, lol! Yes, we promised to keep that masked... Sorry, did we not tell you about that? <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal"> In addition to domicile addresses, other data including attorney information, email addresses, and Internet Protocol (IP) addresses were also exposed during this 3-year period. USPTO\u2019s Trademarks Organization did not calculate the number
of filers affected by the exposure of this additional data nor did the office consider this number when addressing the incident. <o:p></o:p></p>
</blockquote>
<div>
<p class="MsoNormal">Oh, and we did it again! Lmao, we're so much fun!<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal"> On April 19, 2024, after the conclusion of our evaluation, USPTO discovered that 14,359 domicile addresses that should have been hidden from public view were inadvertently exposed during the transition to a new IT system. Also exposed
during this incident was the bar information of 16,548 attorneys and the email addresses of 33,501 trademark owners. USPTO concluded that this data was exposed between August 23, 2023, and April 19, 2024. <o:p></o:p></p>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Tim Ackermann<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The Ackermann Law Firm<o:p></o:p></p>
</div>
<p><span style="font-size:7.5pt;font-family:"Verdana",sans-serif">E: <a href="mailto:tim@ackermannlaw.com" target="_blank">tim@ackermannlaw.com</a><br>
P: 817.305.0690<br>
F: 214.453.0810<br>
W: <a href="http://ackermannlaw.com/" target="_blank">ackermannlaw.com</a><br>
O: 1701 W. Northwest Hwy. Ste. 100<br>
Grapevine TX 76051</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Fri, Jun 28, 2024 at 10:43<span style="font-family:"Arial",sans-serif">\u202f</span>AM Pamela Chestek via E-trademarks <<a href="mailto:e-trademarks@oppedahl-lists.com">e-trademarks@oppedahl-lists.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal">I just learned of this report:<br>
<br>
"We found that USPTO mishandled the required reporting and notification <br>
to the affected trademark filers after domicile addresses had been <br>
exposed for 3 years. We also found that USPTO leadership allowed <br>
domicile addresses to remain publicly accessible after they were aware <br>
of the exposure, risking unauthorized disclosures in violation of the <br>
Privacy Act. Additionally, USPTO did not report that additional <br>
sensitive PII was exposed during the incident or notify the affected <br>
filers that additional data had been exposed."<br>
<br>
<a href="https://www.oversight.gov/report/DOC/3-Year-Exposure-Privacy-Act-Protected-Data-Revealed-USPTO-Mismanagement-Safeguarding" target="_blank">https://www.oversight.gov/report/DOC/3-Year-Exposure-Privacy-Act-Protected-Data-Revealed-USPTO-Mismanagement-Safeguarding</a><br>
<br>
Pam<br>
<br>
Pamela S. Chestek<br>
Chestek Legal<br>
300 Fayetteville Street<br>
Unit 2492<br>
Raleigh, NC 27602<br>
<a href="mailto:pamela@chesteklegal.com" target="_blank">pamela@chesteklegal.com</a><br>
(919) 800-8033<br>
<a href="http://www.chesteklegal.com/" target="_blank">www.chesteklegal.com</a><br>
<br>
-- <br>
E-trademarks mailing list<br>
<a href="mailto:E-trademarks@oppedahl-lists.com" target="_blank">E-trademarks@oppedahl-lists.com</a><br>
<a href="http://oppedahl-lists.com/mailman/listinfo/e-trademarks_oppedahl-lists.com" target="_blank">http://oppedahl-lists.com/mailman/listinfo/e-trademarks_oppedahl-lists.com</a><o:p></o:p></p>
</blockquote>
</div>
</div>
</div>
</body>
</html>